From 9b9cc23c1f93d86fa4997b182bb65bdf8f2d0a25 Mon Sep 17 00:00:00 2001
From: Jayson Reis
Date: Tue, 20 Oct 2020 20:58:27 +0200
Subject: [PATCH 1/2] Add support for kafka auth using SASL with PLAIN mechanism
---
 pkg/config/env.go | 3 +++
 pkg/handler/data_recorder_kafka.go | 16 +++++++++++++++-
 pkg/handler/data_recorder_kafka_test.go | 13 +++++++++++++
 pkg/handler/export.go | 3 ++-
 4 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/pkg/config/env.go b/pkg/config/env.go
index c249d23e..e43c50ec 100644
--- a/pkg/config/env.go
+++ b/pkg/config/env.go
@@ -134,6 +134,9 @@ var Config = struct {
 RecorderKafkaKeyFile string `env:"FLAGR_RECORDER_KAFKA_KEYFILE" envDefault:""`
 RecorderKafkaCAFile string `env:"FLAGR_RECORDER_KAFKA_CAFILE" envDefault:""`
 RecorderKafkaVerifySSL bool `env:"FLAGR_RECORDER_KAFKA_VERIFYSSL" envDefault:"false"`
+ RecorderKafkaSimpleSSL bool `env:"FLAGR_RECORDER_KAFKA_SIMPLE_SSL" envDefault:"false"`
+ RecorderKafkaUsername string `env:"FLAGR_RECORDER_KAFKA_USERNAME" envDefault:""`
+ RecorderKafkaPassword string `env:"FLAGR_RECORDER_KAFKA_PASSWORD" envDefault:""`
 RecorderKafkaVerbose bool `env:"FLAGR_RECORDER_KAFKA_VERBOSE" envDefault:"true"`
 RecorderKafkaTopic string `env:"FLAGR_RECORDER_KAFKA_TOPIC" envDefault:"flagr-records"`
 RecorderKafkaRetryMax int `env:"FLAGR_RECORDER_KAFKA_RETRYMAX" envDefault:"5"`
diff --git a/pkg/handler/data_recorder_kafka.go b/pkg/handler/data_recorder_kafka.go
index fb44ef66..61056d06 100644
--- a/pkg/handler/data_recorder_kafka.go
+++ b/pkg/handler/data_recorder_kafka.go
@@ -36,11 +36,19 @@ var NewKafkaRecorder = func() DataRecorder {
 config.Config.RecorderKafkaKeyFile,
 config.Config.RecorderKafkaCAFile,
 config.Config.RecorderKafkaVerifySSL,
+ config.Config.RecorderKafkaSimpleSSL,
 )
 if tlscfg != nil {
 cfg.Net.TLS.Enable = true
 cfg.Net.TLS.Config = tlscfg
 }
+
+ if config.Config.RecorderKafkaUsername != "" && config.Config.RecorderKafkaPassword != "" {
+ cfg.Net.SASL.Enable = true
+ }
+ cfg.Net.SASL.User = config.Config.RecorderKafkaUsername
+ cfg.Net.SASL.Password = config.Config.RecorderKafkaPassword
+
 cfg.Producer.RequiredAcks = sarama.WaitForLocal
 cfg.Producer.Retry.Max = config.Config.RecorderKafkaRetryMax
 cfg.Producer.Flush.Frequency = config.Config.RecorderKafkaFlushFrequency
@@ -77,7 +85,7 @@ var NewKafkaRecorder = func() DataRecorder {
 }
 }
 
-func createTLSConfiguration(certFile string, keyFile string, caFile string, verifySSL bool) (t *tls.Config) {
+func createTLSConfiguration(certFile string, keyFile string, caFile string, verifySSL bool, simpleSSL bool) (t *tls.Config) {
 if certFile != "" && keyFile != "" && caFile != "" {
 cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 if err != nil {
@@ -98,6 +106,12 @@ func createTLSConfiguration(certFile string, keyFile string, caFile string, veri
 InsecureSkipVerify: !verifySSL,
 }
 }
+
+ if simpleSSL {
+ t = &tls.Config{
+ InsecureSkipVerify: !verifySSL,
+ }
+ }
 // will be nil by default if nothing is provided
 return t
 }
diff --git a/pkg/handler/data_recorder_kafka_test.go b/pkg/handler/data_recorder_kafka_test.go
index af32f863..c0c39550 100644
--- a/pkg/handler/data_recorder_kafka_test.go
+++ b/pkg/handler/data_recorder_kafka_test.go
@@ -42,6 +42,7 @@ func TestCreateTLSConfiguration(t *testing.T) {
 "./testdata/certificates/alice.key",
 "./testdata/certificates/ca.crt",
 true,
+ false,
 )
 assert.NotZero(t, tlsConfig)
 
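Review bot: The new SASL block never checks that the connection is also TLS-protected, so with no TLS settings configured (`tlscfg` nil, `cfg.Net.TLS.Enable` left false) the PLAIN username and password are sent to the broker in cleartext. A guard after the block such as `if cfg.Net.SASL.Enable && !cfg.Net.TLS.Enable { logrus.Warn("kafka SASL credentials are sent without TLS") }` (or a hard failure, if operators prefer) makes the misconfiguration visible; I am assuming the package's logrus logger is in scope here as it is in export.go. The hunk also relies on sarama's default mechanism rather than stating the one the commit title names, `cfg.Net.SASL.Mechanism = sarama.SASLTypePlaintext`, and silently leaves SASL disabled when only one of the two variables is set, which deserves at least a warning. Both points carry over unchanged to the `@@ -43,11 +43,11 @@` hunk of patch 2/2, which only moves the User/Password assignments inside the condition. NewKafkaRecorder's body starts and ends outside the hunk.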
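Review bot: The new `if simpleSSL` block assigns `t` unconditionally, so when cert, key and CA files are also configured it replaces the client-certificate config built just above with a bare `tls.Config`, silently dropping the loaded client certificate (and whatever else that branch sets up outside the hunk); `if simpleSSL && t == nil {` keeps the explicit certificate configuration authoritative. Separately, `RecorderKafkaVerifySSL` defaults to false in env.go, so setting only FLAGR_RECORDER_KAFKA_SIMPLE_SSL=true produces a TLS connection with `InsecureSkipVerify: true`, i.e. no server-certificate verification. That deserves a comment above the block, e.g. `// simpleSSL: TLS without client certs; server verification still depends on verifySSL (default false)`, and a warning log whenever the returned config skips verification. createTLSConfiguration's body starts outside the hunk.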
@@ -50,8 +51,18 @@ func TestCreateTLSConfiguration(t *testing.T) {
 "",
 "",
 true,
+ false,
 )
 assert.Zero(t, tlsConfig)
+
+ tlsConfig = createTLSConfiguration(
+ "",
+ "",
+ "",
+ true,
+ true,
+ )
+ assert.NotZero(t, tlsConfig)
 })
 
 t.Run("cert or key file not found", func(t *testing.T) {
@@ -61,6 +72,7 @@ func TestCreateTLSConfiguration(t *testing.T) {
 "./testdata/certificates/not_found.key",
 "./testdata/certificates/ca.crt",
 true,
+ false,
 )
 })
 })
@@ -72,6 +84,7 @@ func TestCreateTLSConfiguration(t *testing.T) {
 "./testdata/certificates/alice.key",
 "./testdata/certificates/not_found.crt",
 true,
+ false,
 )
 })
 })
diff --git a/pkg/handler/export.go b/pkg/handler/export.go
index d890e302..285a94d6 100644
--- a/pkg/handler/export.go
+++ b/pkg/handler/export.go
@@ -7,6 +7,7 @@ import (
 "io/ioutil"
 "math/rand"
 "os"
+ "path"
 
 "github.com/checkr/flagr/pkg/entity"
 "github.com/checkr/flagr/swagger_gen/restapi/operations/export"
@@ -25,7 +26,7 @@ var exportSQLiteHandler = func(p export.GetExportSqliteParams) middleware.Respon
 }
 
 var exportSQLiteFile = func(excludeSnapshots *bool) (file io.ReadCloser, done func(), err error) {
- fname := fmt.Sprintf("/tmp/flagr_%d.sqlite", rand.Int31())
+ fname := path.Join(os.TempDir(), fmt.Sprintf("flagr_%d.sqlite", rand.Int31()))
 done = func() {
 os.Remove(fname)
 logrus.WithField("file", fname).Debugf("removing the tmp file")
From 88b13a2b6e90cf89760aa20fe61f341e3bd3e99a Mon Sep 17 00:00:00 2001
From: Jayson Reis
Date: Fri, 23 Oct 2020 09:12:14 +0200
Subject: [PATCH 2/2] Rename env variables
---
 pkg/config/env.go | 4 ++--
 pkg/handler/data_recorder_kafka.go | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkg/config/env.go b/pkg/config/env.go
index e43c50ec..6845f186 100644
--- a/pkg/config/env.go
+++ b/pkg/config/env.go
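Review bot: The new simpleSSL case only asserts that a config comes back; adding `assert.False(t, tlsConfig.InsecureSkipVerify)` for this `verifySSL = true` call would pin how `verifySSL` is wired into the simpleSSL branch, since that flag defaults to false in env.go and the branch turns it straight into `InsecureSkipVerify`. A further case passing the certificate files together with `simpleSSL = true` would document which configuration is expected to win when both are set. TestCreateTLSConfiguration continues outside the hunk.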
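Review bot: `path` is the slash-separated package meant for URL-style paths; a filesystem location should import `"path/filepath"`, and the matching call in the `@@ -25,7 +26,7 @@` hunk below becomes `filepath.Join(os.TempDir(), ...)`. `path.Join` treats a backslash as an ordinary character, so on Windows the value returned by `os.TempDir()` is neither cleaned nor joined with the native separator.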
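Review bot: The temp file name is still predictable — `rand.Int31()` from math/rand is deterministic unless seeded elsewhere on Go 1.19 and earlier — and nothing in the hunk creates the file, so between choosing `fname` here and its later use (outside the hunk) another process with write access to the shared temp directory can pre-create or replace it. `ioutil.TempFile(os.TempDir(), "flagr_*.sqlite")`, with ioutil already imported by this file, creates the file atomically with mode 0600 and an unpredictable name, and its `Name()` can feed the existing `done` cleanup; the new `path` import would then be unnecessary. How the sqlite layer later opens `fname` is not visible from here, so whether it uses an exclusive create is unverified. exportSQLiteFile's body continues outside the hunk.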
@@ -135,8 +135,8 @@ var Config = struct {
 RecorderKafkaCAFile string `env:"FLAGR_RECORDER_KAFKA_CAFILE" envDefault:""`
 RecorderKafkaVerifySSL bool `env:"FLAGR_RECORDER_KAFKA_VERIFYSSL" envDefault:"false"`
 RecorderKafkaSimpleSSL bool `env:"FLAGR_RECORDER_KAFKA_SIMPLE_SSL" envDefault:"false"`
- RecorderKafkaUsername string `env:"FLAGR_RECORDER_KAFKA_USERNAME" envDefault:""`
- RecorderKafkaPassword string `env:"FLAGR_RECORDER_KAFKA_PASSWORD" envDefault:""`
+ RecorderKafkaSASLUsername string `env:"FLAGR_RECORDER_KAFKA_SASL_USERNAME" envDefault:""`
+ RecorderKafkaSASLPassword string `env:"FLAGR_RECORDER_KAFKA_SASL_PASSWORD" envDefault:""`
 RecorderKafkaVerbose bool `env:"FLAGR_RECORDER_KAFKA_VERBOSE" envDefault:"true"`
 RecorderKafkaTopic string `env:"FLAGR_RECORDER_KAFKA_TOPIC" envDefault:"flagr-records"`
 RecorderKafkaRetryMax int `env:"FLAGR_RECORDER_KAFKA_RETRYMAX" envDefault:"5"`
diff --git a/pkg/handler/data_recorder_kafka.go b/pkg/handler/data_recorder_kafka.go
index 61056d06..17e1d6e5 100644
--- a/pkg/handler/data_recorder_kafka.go
+++ b/pkg/handler/data_recorder_kafka.go
@@ -43,11 +43,11 @@ var NewKafkaRecorder = func() DataRecorder {
 cfg.Net.TLS.Config = tlscfg
 }
 
- if config.Config.RecorderKafkaUsername != "" && config.Config.RecorderKafkaPassword != "" {
+ if config.Config.RecorderKafkaSASLUsername != "" && config.Config.RecorderKafkaSASLPassword != "" {
 cfg.Net.SASL.Enable = true
+ cfg.Net.SASL.User = config.Config.RecorderKafkaSASLUsername
+ cfg.Net.SASL.Password = config.Config.RecorderKafkaSASLPassword
 }
- cfg.Net.SASL.User = config.Config.RecorderKafkaUsername
- cfg.Net.SASL.Password = config.Config.RecorderKafkaPassword
 
 cfg.Producer.RequiredAcks = sarama.WaitForLocal
 cfg.Producer.Retry.Max = config.Config.RecorderKafkaRetryMax